1. Technical Field
This application relates to managing knowledge-based authentication systems.
2. Description of Related Art
The computer systems include proprietary and non-proprietary computer networks, and often store, archive, and transmit all types of sensitive information. Many computer users and other entities have systems that utilize some form of security. Therefore, there often arises a need to prevent all but selected authorized persons from being able to carry out some defined transaction or to gain access to electronic equipment or other system, facility or data. Preventing unauthorized clearance or access typically involves devices which limit access to the subject data, facility, or transaction to those who possess a unique physical device, such as a key or who know a fixed or predictable (hereinafter “fixed”) secret code. In at least some cases, relying on a fixed code or unique physical device as the means to control such selective clearance or access can mean that would-be unauthorized users need only obtain possession of the fixed code or unique device to gain such clearance or access. Typical instances of fixed codes include card numbers, user numbers or passwords issued to customers of computer data retrieval services.
Thus, one common solution for employing identity verification as a security-enhancing feature of enterprise systems that may be at risk for fraud or similar misuse is the use of secret passwords known only to actual authorized users of an enterprise system or service. In operation, it is necessary for a user to present the correct password before access is granted to data or functions of the service. The use of the correct password serves to verify a user's identity to an acceptable confidence level on the assumption that passwords are kept secret and are not easily guessable. However, passwords provide little security in that they are generally susceptible to inappropriate access, through either brute-force attacks or through phishing. Phishing is the sending of electronic communication that claims to be from some web-site in order to trick the recipient into revealing information for use in having the user reveal information such as his username and password. The user is often directed to a web-site that looks like the actual web-site in question and may silently redirect the user to the real web site after collecting their username and password or use a man-in-the-middle server.
Another identity verification technique is referred to as “knowledge-based authentication” or KBA. KBA employs one or more challenge questions whose answers are typically intended to be readily recalled by the actual known user (referred to as the “genuine” user) while being unknown and difficult to guess by another person posing as the known user (referred to as the “fraudster”). KBA questions require data that is specific to the known user.
A knowledge-based identity verification system receives and processes a verification request to verify the identity of a current user as the known user. The knowledge-based authentication system forms one or more questions. The question or questions are then presented to the user. When the user responds, the response supplied by the user is compared to a valid response to the question. The result of the comparison can serve as a basis for increased or decreased confidence in the identity of the current user, and corresponding actions may be initiated. If the comparison between the responses supplied by the user and the correct responses are true, the user is allowed access to the target of the authentication. Otherwise, the user is not authenticated. For example, the identity verification system may provide an output indicating whether the comparison resulted in a match, indicating that the current user answered the challenge question(s) correctly. This output may be used by a protected service to make a decision whether to allow a transaction or access to protected data or functionality.
An information validation service known as RSA Identity Verification or Verid created by RSA, The Security Division of EMC, Bedford, Mass., compiles, and enables verification of the identity of a user through inquiries into public record or publicly available information regarding the user's status and/or activities. It is not expected that the user would necessarily answer all questions to correspond exactly to the answers on file. Thus, there is a usual threshold set such as a majority of the questions, for example 2 out of 3 questions, will qualify as a pass, or alternatively for example, 2 out of 3 questions could trigger a second round of an additional number of questions. Based on the strength of the user's assertion, various options are available including posing further questions and/or re-directing the user to an alternate authentication approach.
In particular, Verid provides a question based screened verification method that includes asking an individual questions regarding the individual's asserted identity at an authorized location to determine whether the individual's asserted identity is correct.
Conventional knowledge-based authentication (KBA) involves deriving questions regarding a particular user from facts in a publicly available database, and asking that user one or more of the derived questions to verify the authenticity of the user. For example, conventional KBA accesses facts such as addresses, mortgage payments, and driving records from a LexisNexis® server, a credit bureau or a motor vehicle registry.
Suppose that a user wishes to make a purchase at a store using a store account. In conventional KBA, the store may ask the user a set of questions derived from a set of facts concerning the user in order to complete the purchase. Such questions may include “when were you married?”, “what was the make and model of your first car?”, and “what was the name of your first pet?”. If the user answers the questions correctly, the store completes the purchase. On the other hand, if the user answers questions incorrectly, the store may take remedial steps to verify the authenticity of the user. For example, the store may ask for further proof of identity such as a driver's license.
Unfortunately, there are deficiencies with the above-described conventional KBA. For example, facts obtained from a publicly available database may be known by members of the public. Consequently, KBA questions and responses derived from such facts may be insecure because an imposter may have examined facts relevant to a particular legitimate user.